Disable CG in non-prod branches #13214
Conversation
|
Just curious, CG tools already understand the difference between "production" and "non-production" branches. Is that not covering your scenario? |
There's a long email thread w/ Tactics and more people on it about this very topic. The systems no longer work that way @garath. |
Ah I had a feeling that I was missing part of the convo. Thanks for the answer! |
|
Test builds for new approach: non-prod branch - Should skip CG (no arcade injected task, auto-injected task should be skipped due to variable) |
|
Whoops, gotta account for OS when setting the variable, another iteration incoming |
|
New builds: non-prod branch - Should skip CG (no arcade injected task, auto-injected task should be skipped due to variable) |
|
One more iteration because I realized that at least one of the steps in |
|
Alright, latest builds behaved how I'd expect. @dougbu any concerns with the current approach? |
|
|
||
| steps: | ||
| - ${{ if eq(parameters.disableComponentGovernance, 'true') }}: | ||
| - script: "echo ##vso[task.setvariable variable=skipComponentGovernanceDetection]true" |
There was a problem hiding this comment.
Could you explain how this works or link to the successful test builds❔ I expected the variable would need to be set around https://github.com/dotnet/arcade/pull/13214/files#diff-22da7e3800f8d77bccd75b181def1385123174ef4a38a7ccbd7a3d7317580c12R162 i.e., before the default injection logic runs (which is effectively the first step of any pipeline).
There was a problem hiding this comment.
There was a problem hiding this comment.
In that build, click on Windows on the left side, open job preparation parameters, then head down to line 163. You'll see a long line that ends w/ a check of the variable:
Evaluating:
and(
eq(resources['repositories']['self']['ref'], resources['repositories']['self']['defaultBranch']),
eq(resources['repositories']['__designer_repo']['ref'], resources['repositories']['__designer_repo']['defaultBranch']),
or(eq(resources['repositories']['self']['type'], 'Git'),
eq(resources['repositories']['__designer_repo']['type'], 'Git'),
eq(resources['repositories']['self']['type'], 'Github'),
eq(resources['repositories']['__designer_repo']['type'], 'Github'),
eq(resources['repositories']['self']['type'], 'GitHubEnterprise'),
eq(resources['repositories']['__designer_repo']['type'], 'GitHubEnterprise')),
ne(variables['PREVENT_RUNNING_CG'], 'true'),
ne(variables['skipComponentGovernanceDetection'], 'true'))
If the variable were set in job.yml's variables expansion (as we did at https://github.com/dotnet/aspnetcore/blob/bec278eabea54f63da15e10e654bdfa4168a2479/.azure/pipelines/jobs/default-build.yml#L164-L165), the step should be removed entirely. That's more efficient and avoids noise in the build display. Unfortunately, it's not working 😦
In any case and as I think about this more, I doubt there's anyone w/ a strange need to use the auto-injected task b/c it's so limited e.g., it only handles 'main' and runs in public builds too. You could simplify things and unconditionally set the variable in job.yml.
Due to the current bug around auto-injection (it worked when we changed dotnet/aspnetcore), this isn't worth holding up the PR.
|
/backport to release/6.0 |
|
/backport to release/7.0 |
|
Started backporting to release/6.0: https://github.com/dotnet/arcade/actions/runs/4756248514 |
|
Started backporting to release/7.0: https://github.com/dotnet/arcade/actions/runs/4756249367 |
|
@wtgodbe backporting to release/6.0 failed, the patch most likely resulted in conflicts: $ git am --3way --ignore-whitespace --keep-non-patch changes.patch
Applying: Disable CG in non-prod branches
Applying: Use a template instead
Using index info to reconstruct a base tree...
M eng/common/templates/job/job.yml
M eng/common/templates/jobs/jobs.yml
Falling back to patching base and 3-way merge...
Auto-merging eng/common/templates/jobs/jobs.yml
Auto-merging eng/common/templates/job/job.yml
CONFLICT (content): Merge conflict in eng/common/templates/job/job.yml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 Use a template instead
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128Please backport manually! |
|
@wtgodbe backporting to release/7.0 failed, the patch most likely resulted in conflicts: $ git am --3way --ignore-whitespace --keep-non-patch changes.patch
Applying: Disable CG in non-prod branches
Applying: Use a template instead
Using index info to reconstruct a base tree...
M eng/common/templates/job/job.yml
Falling back to patching base and 3-way merge...
Auto-merging eng/common/templates/job/job.yml
CONFLICT (content): Merge conflict in eng/common/templates/job/job.yml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 Use a template instead
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128Please backport manually! |
|
@wtgodbe an error occurred while backporting to release/6.0, please check the run log for details! Error: git am failed, most likely due to a merge conflict. |
|
@wtgodbe an error occurred while backporting to release/7.0, please check the run log for details! Error: git am failed, most likely due to a merge conflict. |
| - template: /eng/common/templates/steps/component-governance.yml | ||
| parameters: | ||
| ${{ if eq(parameters.disableComponentGovernance, '') }}: | ||
| ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.runAsPublic, 'false'), or(contains(variables['Build.SourceBranch'], 'internal/release'), eq(variables['Build.SourceBranch'], 'main'))) }}: |
There was a problem hiding this comment.
Doesn't the 'Build.SourceBranch' contain the full branch name?
eq(variables['Build.SourceBranch'], 'main') ---> eq(variables['Build.SourceBranch'], 'refs/heads/main')
contains(variables['Build.SourceBranch'], 'internal/release') ---> startsWith(variables['Build.SourceBranch'], 'refs/heads/internal/release')
| parameters: | ||
| ${{ if eq(parameters.disableComponentGovernance, '') }}: | ||
| ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.runAsPublic, 'false'), or(contains(variables['Build.SourceBranch'], 'internal/release'), eq(variables['Build.SourceBranch'], 'main'))) }}: | ||
| disableComponentGovernance: false | ||
| ${{ else }}: | ||
| disableComponentGovernance: true | ||
| componentGovernanceIgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }} |
There was a problem hiding this comment.
Shouldn't it have something like
disableComponentGovernance: ${{ parameters.disableComponentGovernance }}
in the non-empty case to pass the value through? (We are getting CG warnings in our internal superpmi-collect pipeline that tries to pass this through to job.yml.)
Disables Component Governance except in internal builds of branches named
mainorinternal/release/*. Repos who want to opt in to other branches running CG can set thedisableComponentGovernanceparameter in their .yml file (Same with dev branches). I tested this in EFCore and all the scenarios I tried worked. Note that repos like aspnetcore that use thejob.ymltemplate instead ofjobs.ymlwill also have to manually set thedisableComponentGovernanceparam. We should backport this to 6 and 7 once approved